yet ANOTHER EAP-TTLS/PAP with OpenLDAP problem ...

Sylvain Robitaille syl at alcor.concordia.ca
Sat Mar 29 06:29:56 CET 2008


On Fri, 28 Mar 2008, Ivan Kalik wrote:

> You have obviously ignored the warnings about storing User-Password
> attribute:

No, I don't believe that I can be said to have ignored it at all.
In fact, I'm under the impression that I made very clear in my earlier
message that I'm not ignoring this warning.  I may not be doing the right
thing to deal correctly with what causes it, but that's another matter
entirely, and why I am putting myself at the mercy of experts for help.

I wrote:

>> The text "User-Password" appears in exactly the following places in my
>> raddb directory (not counting comment lines):
>> 
>> ./attrs.pre-proxy:      User-Password =* ANY,
>> ./sql/mysql/dialup.conf:
>> '%{%{User-Password}:-%{Chap-Password}}', \
>> ./sql/postgresql/dialup.conf:  VALUES ('%{User-Name}',
>> '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', NOW())"
>> 
>> These files are as shipped with FreeRADIUS-2.0.3.  I'm trying to get
>> this done with minimal change to the default configuration, since it
>> appears that's what is expected.  Which of the above needs to change?
>> (attrs.pre-proxy?)

> ... So server translates User-Password to Cleartext-Password and the
> check fails since the password is encrypted.

Understood, yes.

> Configure ldap section to use SSHA-Password as password attribute instead.

That's what I believed I HAD done with the following, from the diff of
my radiusd.conf file against the default radiusd.conf that ships with
2.0.3, originally included after the signature in my first message:

>> @@ -820,7 +825,8 @@
>>  		#  Novell may require TLS encrypted sessions before returning
>>  		#  the user's password.
>>  		#
>> -		# password_attribute = userPassword
>> +		password_attribute = userPassword
>> +                password_radius_attribute = "SSHA-Password"
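Review bot: the debug output later in this message still shows rlm_ldap adding `User-Password = {SSHA}...` as a check item, so the `password_radius_attribute = "SSHA-Password"` line added in this hunk does not appear to be taking effect, and the encrypted value is still being handed to the check under the User-Password name that the warning refers to. Also, the added line is indented with spaces while the surrounding lines use tabs; worth aligning so the change stands out cleanly in the diff.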

If the above is not the correct way to accomplish what I am trying to
do, I would be very grateful if someone would point me in the right
direction to find what is the correct way.

The radtest test against a user in the LDAP data succeeds.  How do I get
from here to having successful authentication through TTLS against the
same LDAP data, without the above warning?

>>    radtest j_doe '*SANITIZED*' localhost:1814 1 testing123
>>            User-Name = "j_doe"
>>            User-Password = "*SANITIZED*"
>>            NAS-IP-Address = 192.168.7.47
>>            NAS-Port = 1
>> 
>> Older versions of radtest would report receiving "Access-Accept", while
>> this one silently exits.  However, radiusd in this case says:
>> 
>> Ready to process requests.
>>         User-Name = "j_doe"
>>         User-Password = "*SANITIZED*"
>>         NAS-IP-Address = 192.168.7.47
>>         NAS-Port = 1
>> +- entering group authorize
>> ++[preprocess] returns ok
>> ++[chap] returns noop
>> ++[mschap] returns noop
>>     rlm_realm: No '@' in User-Name = "j_doe", looking up realm NULL
>>     rlm_realm: No such realm "NULL"
>> ++[suffix] returns noop
>>   rlm_eap: No EAP-Message, not doing EAP
>> ++[eap] returns noop
>> ++[unix] returns notfound
>> ++[files] returns noop
>> rlm_ldap: - authorize
>> rlm_ldap: performing user authorization for j_doe
>>         expand: %{Stripped-User-Name} ->
>>         expand: %{User-Name} -> j_doe
>>         expand: (&(cn=%{%{Stripped-User-Name}:-%{User-Name}})(search filter
>> trimmed for brevity)) -> (&(cn=j_doe)(search filter trimmed for brevity))
>>         expand: ou=people,dc=concordia,dc=ca -> ou=people,dc=concordia,dc=ca
>> rlm_ldap: ldap_get_conn: Checking Id: 0
>> rlm_ldap: ldap_get_conn: Got Id: 0
>> rlm_ldap: attempting LDAP reconnection
>> rlm_ldap: (re)connect to localhost boris:389, authentication 0
>> rlm_ldap: bind as cn=iits_neg,ou=AdminRoles,dc=concordia,dc=ca/*SANITIZED* to
>> localhost boris:389
>> rlm_ldap: waiting for bind result ...
>> rlm_ldap: Bind was successful
>> rlm_ldap: performing search in ou=people,dc=concordia,dc=ca, with filter
>> (&(cn=j_doe)(search filter trimmed for brevity))
>> rlm_ldap: Added User-Password = {SSHA}*SANITIZED*QDmffXBQkU42Wt9x*SANITIZED*==
>> in check items
>> rlm_ldap: looking for check items in directory...
>> rlm_ldap: looking for reply items in directory...
>> rlm_ldap: user j_doe authorized to use remote access
>> rlm_ldap: ldap_release_conn: Release Id: 0
>> ++[ldap] returns ok
>> ++[expiration] returns noop
>> ++[logintime] returns noop
>> ++[pap] returns updated
>>   rad_check_password:  Found Auth-Type auth: type "PAP"
>> +- entering group PAP
>> rlm_pap: login attempt with password "*SANITIZED*"
>> rlm_pap: Using SSHA encryption.
>> rlm_pap: Normalizing SSHA1-Password from base64 encoding
>> rlm_pap: User authenticated successfully
>> ++[pap] returns ok
>> Login OK: [j_doe/*SANITIZED*] (from client localhost port 1)
>> Finished request 0.
>> Going to the next request

Thanks for following up, and for any additional help ...

-- 
----------------------------------------------------------------------
Sylvain Robitaille                              syl at alcor.concordia.ca

Systems and Network analyst                       Concordia University
Instructional & Information Technology        Montreal, Quebec, Canada
----------------------------------------------------------------------
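As an added illustration, not code from this thread or from FreeRADIUS, of what the "rlm_pap: Normalizing SSHA1-Password from base64 encoding" and "Using SSHA encryption" lines above mean, and of why the same {SSHA} value fails when it is checked as a cleartext password. The names make_ssha, check_ssha and pap_check, and the 4-byte salt, are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os


def make_ssha(password: str, salt: bytes = b"") -> str:
    """Build an LDAP-style {SSHA} value: base64(sha1(password + salt) + salt).
    A 4-byte random salt is used when none is given (assumption of this example)."""
    if not salt:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(password: str, stored: str) -> bool:
    """Verify a cleartext password against a {SSHA} value the way rlm_pap does
    once it has decoded the base64 payload: split off the 20-byte SHA-1 digest,
    re-hash password + salt, compare in constant time. Malformed input -> False."""
    if not stored.startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    if len(raw) <= 20:          # digest must be followed by at least one salt byte
        return False
    digest, salt = raw[:20], raw[20:]
    computed = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(computed, digest)


def pap_check(password: str, check_attr: str, check_value: str) -> bool:
    """Model the two PAP check paths discussed in the thread. Under Cleartext-Password
    (what User-Password gets translated to) the stored string is compared literally,
    so an {SSHA} hash can never match; under SSHA-Password it is verified as a hash."""
    if check_attr == "Cleartext-Password":
        return hmac.compare_digest(password.encode("utf-8"),
                                   check_value.encode("utf-8"))
    if check_attr == "SSHA-Password":
        return check_ssha(password, check_value)
    return False


if __name__ == "__main__":
    # Constructed sample: a directory entry storing {SSHA} for the password "secret".
    stored = make_ssha("secret", b"salt")
    print("as SSHA-Password:     ", pap_check("secret", "SSHA-Password", stored))
    print("as Cleartext-Password:", pap_check("secret", "Cleartext-Password", stored))
```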
